SSH mysteriously stops working



Although I REALLY didn't change anything, SSH has mysteriously stopped
working.  When going out, I get asked for a password when normally
that's not the case (but then things work).  When coming in, there is a
message that the key has changed and I get prompted for a password when
normally that's not the case, then it looks like the password is invalid
(although it actually is valid, as logging in without SSH shows).  The 
same behaviour for accounts which always prompt for a password.

Any ideas?

I have to admit that I don't know much about SSH.  I set it up about 4 
years ago and since then it has "just worked".  A few months ago, I set 
things up so that some accounts didn't get the password prompt, and that 
has been working fine since then as well, with no effects on accounts 
which prompt for passwords.

There doesn't appear to be anything strange about the timestamps in 
[.SSH2].

0
Reply helbig (4873) 5/19/2011 5:48:53 AM

On Thu, 19 May 2011 05:48:53 +0000, Phillip Helbig---undress to reply
wrote:

> Although I REALLY didn't change anything, SSH has mysteriously stopped
> working.  When going out, I get asked for a password when normally
> that's not the case (but then things work).  When coming in, there is a
> message that the key has changed and I get prompted for a password when
> normally that's not the case, then it looks like the password is invalid
> (although it actually is valid, as logging in without SSH shows).  The
> same behaviour for accounts which always prompt for a password.
> 
> Any ideas?
> 
> I have to admit that I don't know much about SSH.  I set it up about 4
> years ago and since then it has "just worked".  A few months ago, I set
> things up so that some accounts didn't get the password prompt, and that
> has been working fine since then as well, with no effects on accounts
> which prompt for passwords.
> 
> There doesn't appear to be anything strange about the timestamps in
> [.SSH2].

What OS is running on the other system?



-- 
Use the BIG mirror service in the UK:
 http://www.mirrorservice.org

*lightning protection* - a w_tom conductor
0
Reply rde42 (978) 5/19/2011 5:51:45 AM


In article <93jpfhFc1cU1@mid.individual.net>, Bob Eager
<rde42@spamcop.net> writes: 

> What OS is running on the other system?

Linux.

0
Reply helbig (4873) 5/19/2011 5:53:31 AM

Phillip Helbig---undress to reply wrote:
> Although I REALLY didn't change anything, SSH has mysteriously stopped
> working.  When going out, I get asked for a password when normally
> that's not the case (but then things work).  When coming in, there is a
> message that the key has changed and I get prompted for a password when
> normally that's not the case, then it looks like the password is invalid
> (although it actually is valid, as logging in without SSH shows).  The 
> same behaviour for accounts which always prompt for a password.
> 
> Any ideas?
> 
> I have to admit that I don't know much about SSH.  I set it up about 4 
> years ago and since then it has "just worked".  A few months ago, I set 
> things up so that some accounts didn't get the password prompt, and that 
> has been working fine since then as well, with no effects on accounts 
> which prompt for passwords.
> 
> There doesn't appear to be anything strange about the timestamps in 
> [.SSH2].
> 

Did you also try with a "just-created" account which was not used for 
ssh at all before the test?

                      Jouk
0
Reply joukj2 (173) 5/19/2011 6:33:47 AM

On Thu, 19 May 2011 05:53:31 +0000, Phillip Helbig---undress to reply
wrote:

> In article <93jpfhFc1cU1@mid.individual.net>, Bob Eager
> <rde42@spamcop.net> writes:
> 
>> What OS is running on the other system?
> 
> Linux.

Have you upgraded anything on Linux recently? I ask because I had exactly 
this problem on my BSD systems, and it turned out that the default key 
type had changed from DSA to RSA.

-- 
Use the BIG mirror service in the UK:
 http://www.mirrorservice.org

*lightning protection* - a w_tom conductor
0
Reply rde42 (978) 5/19/2011 7:54:36 AM

In article <93k0lsFc1cU4@mid.individual.net>,
 Bob Eager <rde42@spamcop.net> wrote:

> On Thu, 19 May 2011 05:53:31 +0000, Phillip Helbig---undress to reply
> wrote:
> 
> > In article <93jpfhFc1cU1@mid.individual.net>, Bob Eager
> > <rde42@spamcop.net> writes:
> > 
> >> What OS is running on the other system?
> > 
> > Linux.
> 
> Have you upgraded anything on Linux recently? I ask because I had exactly 
> this problem on my BSD systems, and it turned out that the default key 
> type had changed from DSA to RSA.

That fits with the way that SSH works.  If the first connection method 
it tries (keys in this case) fails, it tries the next method (password 
in this case).

-- 
Paul Sture
0
Reply paul.nospam (2160) 5/19/2011 9:31:03 AM

On 19-5-2011 9:54, Bob Eager wrote:
> Have you upgraded anything on Linux recently? I ask because I had exactly
> this problem on my BSD systems, and it turned out that the default key
> type had changed from DSA to RSA.

This happened to me as well once, if I remember correctly.  It may've
also been a mismatch of an SSH protocol version or of the encryption
cipher in my case, perhaps a combination of both.

  - MG
0
Reply marcogbNO (1127) 5/19/2011 9:39:50 AM

Phillip Helbig---undress to reply wrote:

> key has changed

Did you try to delete or rename the old key of the Linux system in 
[.SSH2.hostkeys] ?

-- 

Remove NOREPLY. from Email address.
Joseph Huber, http://www.huber-joseph.de
0
Reply joseph.huber4 (70) 5/19/2011 10:01:47 AM

In article <4dd4e561$0$49175$e4fe514c@news.xs4all.nl>,
 MG <marcogbNO@SPAMxs4all.nl> wrote:

> On 19-5-2011 9:54, Bob Eager wrote:
> > Have you upgraded anything on Linux recently? I ask because I had exactly
> > this problem on my BSD systems, and it turned out that the default key
> > type had changed from DSA to RSA.
> 
> This happened to me as well once, if I remember correctly.  It may've
> also been a mismatch of a SSH protocol version or of the encryption
> cipher in my case, perhaps a combination of both.
> 

And I have noticed several SSH and related security patches arriving on 
my Linux instances in the last week or two.

-- 
Paul Sture
0
Reply paul.nospam (2160) 5/19/2011 10:37:31 AM

On Thu, 19 May 2011 11:31:03 +0200, Paul Sture wrote:

> In article <93k0lsFc1cU4@mid.individual.net>,
>  Bob Eager <rde42@spamcop.net> wrote:
> 
>> On Thu, 19 May 2011 05:53:31 +0000, Phillip Helbig---undress to reply
>> wrote:
>> 
>> > In article <93jpfhFc1cU1@mid.individual.net>, Bob Eager
>> > <rde42@spamcop.net> writes:
>> > 
>> >> What OS is running on the other system?
>> > 
>> > Linux.
>> 
>> Have you upgraded anything on Linux recently? I ask because I had
>> exactly this problem on my BSD systems, and it turned out that the
>> default key type had changed from DSA to RSA.
> 
> That fits with the way that SSH works.  If the first connection method
> it tries (keys in this case) fails, it tries the next method (password
> in this case).

Yes. In my case, all the hosts held public DSA keys, and all the clients 
were trying DSA first.

When I upgraded a client, it started trying RSA first, so complained 
about the fingerprint and dropped back to passwords.

Easy to fix; I just issued RSA public keys.



-- 
Use the BIG mirror service in the UK:
 http://www.mirrorservice.org

*lightning protection* - a w_tom conductor
0
Reply rde42 (978) 5/19/2011 11:36:09 AM

In article <d949a$4dd4b9cb$82a13c9d$20341@news1.tudelft.nl>, JOUKJ
<joukj@hrem.nano.tudelft.nl> writes: 

> Did you also try with a "just-created" account which was not used for 
> ssh at all before the test?

Not yet.  Maybe I'll have to.  Here is the message I get when trying to 
get in from outside.  (Contrary to what I mentioned before, OUTGOING 
access seems OK.)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The DSA host key for multivax.de has changed,
and the key for the corresponding IP address 217.226.76.212
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/foobar/.ssh/known_hosts:5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle 
attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
f1:f2:2f:53:d5:cd:ae:3f:97:90:e5:01:21:33:d4:aa.
Please contact your system administrator.
Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this 
message.
Offending key in /home/foobar/.ssh/known_hosts:1
DSA host key for multivax.de has changed and you have requested strict 
checking.
Host key verification failed.

Note that a) I have an IP address which changes usually once a day and
b) whatever node has the cluster IP address will respond to the incoming 
request.  Both the IP address and also the node with the cluster alias 
have changed in the past.  SSH probably wasn't meant for this sort of 
setup.  Could the problem be that the IP address and the cluster-alias 
node changed at the same time?

0
Reply helbig (4873) 5/19/2011 3:55:15 PM

In article <ir2pqb$1uhs$1@gwdu112.gwdg.de>, Joseph Huber
<joseph.huber@NOREPLY.web.de> writes: 

> Phillip Helbig---undress to reply wrote:
> 
> > key has changed
> 
> Did You try to delete or rename the old key of the Linux system in 
> [.SSH2.hostkeys] ?

Not yet.  First, I would like to understand which key (the message 
mentions 2) and why the problem is occurring in the first place.

0
Reply helbig (4873) 5/19/2011 5:26:30 PM

On May 19, 8:55 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig---
undress to reply) wrote:
> In article <d949a$4dd4b9cb$82a13c9d$20...@news1.tudelft.nl>, JOUKJ
>
> <jo...@hrem.nano.tudelft.nl> writes:
> > Did you also try with a "just-created" account which was not used for
> > ssh at all before the test?
>
> Not yet.  Maybe I'll have to.  Here is the message I get when trying to
> get in from outside.  (Contrary to what I mentioned before, OUTGOING
> access seems OK.)
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The DSA host key for multivax.de has changed,
> and the key for the corresponding IP address 217.226.76.212
> is unchanged. This could either mean that
> DNS SPOOFING is happening or the IP address for the host
> and its host key have changed at the same time.
> Offending key for IP in /home/foobar/.ssh/known_hosts:5
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the DSA host key has just been changed.
> The fingerprint for the DSA key sent by the remote host is
> f1:f2:2f:53:d5:cd:ae:3f:97:90:e5:01:21:33:d4:aa.
> Please contact your system administrator.
> Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/foobar/.ssh/known_hosts:1
> DSA host key for multivax.de has changed and you have requested strict
> checking.
> Host key verification failed.
>
> Note that a) I have an IP address which changes usually once a day and
> b) whatever node has the cluster IP address will respond to the incoming
> request.  Both the IP address and also the node with the cluster alias
> have changed in the past.  SSH probably wasn't meant for this sort of
> setup.  Could the problem be that the IP address and the cluster-alias
> node changed at the same time?

When using a cluster alias, you really want all cluster members
to use the same host key.  Under:

  HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 3
  on an hp AlphaServer GS1280 7/1300 running OpenVMS V8.3

the ssh hostkey is located in TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2],
where TCPIP$SSH_DEVICE defaults to SYS$SYSDEVICE.

IIRC, you have several system disks in your cluster.  So you
really have two choices:

   1) Reconfigure TCPIP$SSH_DEVICE to point to your
       cluster-common disk (I don't know if this is supported
       or feasible...);

   2) Choose one "master" node, and copy its HOSTKEY. and
       HOSTKEY.PUB to the other cluster members'  ssh
       directories.

Once the change is made, connecting from your various "outside"
systems will ask you to confirm the new hostkey (except for the
node that you copied from).  Just confirm with a "yes" and get
on with your life. :-)  [I think this is all that's needed; you may
need to copy the HOSTKEY.PUB to the outside system, but
I think the SSH protocol will do that for you if you confirm that
you want to connect.]

   -Ken
0
Reply Ken.Fairfield (491) 5/19/2011 8:33:02 PM

On May 19, 10:33 pm, Ken Fairfield <ken.fairfi...@gmail.com> wrote:
> On May 19, 8:55 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig---
> IIRC, you have several system disks in your cluster.  So you
> really have two choices:

>    1) Reconfigure TCPIP$SSH_DEVICE to point to your
>        cluster-common disk (I don't know if this is supported
>        or feasible...);
>
>    2) Choose one "master" node, and copy its HOSTKEY. and
>        HOSTKEY.PUB to the other cluster members'  ssh
>        directories.
>

Both work, but method 2 gives you fewer headaches when you need
to upgrade TCPIP. A lot of services, and SSH is definitely one of them,
have been written with VMS clusters as an afterthought.
This all from teeth grinding personal experience.

Jose
0
Reply peutbaars (122) 5/19/2011 9:25:39 PM

Phillip Helbig---undress to reply wrote:

> In article <d949a$4dd4b9cb$82a13c9d$20341@news1.tudelft.nl>, JOUKJ
> <joukj@hrem.nano.tudelft.nl> writes:
> 
>> Did you also try with a "just-created" account which was not used for
>> ssh at all before the test?
> 
> Not yet.  Maybe I'll have to.  Here is the message I get when trying to
> get in from outside.  (Contrary to what I mentioned before, OUTGOING
> access seems OK.)
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The DSA host key for multivax.de has changed,
[snip] ...
> Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/foobar/.ssh/known_hosts:1
> DSA host key for multivax.de has changed and you have requested strict
> checking.
> Host key verification failed.
> 
> Note that a) I have an IP address which changes usually once a day and
> b) whatever node has the cluster IP address will respond to the incoming
> request.  Both the IP address and also the node with the cluster alias
> have changed in the past.  SSH probably wasn't meant for this sort of
> setup.  Could the problem be that the IP address and the cluster-alias
> node changed at the same time?


I think that's the usual consequence of a key change. Just follow the advice 
to delete the offending key, then the new one will be stored at the next 
login. I never had a problem afterwards.

And the problem of cluster alias and changing IP address: that should be no 
problem, the host keys are stored with the host's domain name (if 
available).
But of course all nodes participating in a cluster alias should have the 
same hostkey. Well, different systems/ssh versions seem to behave differently:
on my desktop Linux I see mostly IP addresses, but a few domain names. On 
VMS (TCPIP 5.4) I see mostly domain names.
So having a common hostkey in a cluster is probably the safe way.

-- 

Remove NOREPLY. from Email address.
Joseph Huber, http://www.huber-joseph.de
0
Reply joseph.huber4 (70) 5/20/2011 6:35:48 AM

Ken Fairfield wrote:
> On May 19, 8:55 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig---
> undress to reply) wrote:
>> In article <d949a$4dd4b9cb$82a13c9d$20...@news1.tudelft.nl>, JOUKJ
>>
>> <jo...@hrem.nano.tudelft.nl> writes:
>>> Did you also try with a "just-created" account which was not used for
>>> ssh at all before the test?
>> Not yet.  Maybe I'll have to.  Here is the message I get when trying to
>> get in from outside.  (Contrary to what I mentioned before, OUTGOING
>> access seems OK.)
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> The DSA host key for multivax.de has changed,
>> and the key for the corresponding IP address 217.226.76.212
>> is unchanged. This could either mean that
>> DNS SPOOFING is happening or the IP address for the host
>> and its host key have changed at the same time.
>> Offending key for IP in /home/foobar/.ssh/known_hosts:5
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that the DSA host key has just been changed.
>> The fingerprint for the DSA key sent by the remote host is
>> f1:f2:2f:53:d5:cd:ae:3f:97:90:e5:01:21:33:d4:aa.
>> Please contact your system administrator.
>> Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /home/foobar/.ssh/known_hosts:1
>> DSA host key for multivax.de has changed and you have requested strict
>> checking.
>> Host key verification failed.
>>
>> Note that a) I have an IP address which changes usually once a day and
>> b) whatever node has the cluster IP address will respond to the incoming
>> request.  Both the IP address and also the node with the cluster alias
>> have changed in the past.  SSH probably wasn't meant for this sort of
>> setup.  Could the problem be that the IP address and the cluster-alias
>> node changed at the same time?
> 
> When using a cluster alias, you really want all cluster members
> to use the same host key.  Under:
> 
>   HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 3
>   on an hp AlphaServer GS1280 7/1300 running OpenVMS V8.3
> 
> the ssh hostkey is located in TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2],
> where TCPIP$SSH_DEVICE defaults to SYS$SYSDEVICE.
> 
> IIRC, you have several system disks in your cluster.  So you
> really have two choices:
> 
>    1) Reconfigure TCPIP$SSH_DEVICE to point to your
>        cluster-common disk (I don't know if this is supported
>        or feasible...);
> 
>    2) Choose one "master" node, and copy its HOSTKEY. and
>        HOSTKEY.PUB to the other cluster members'  ssh
>        directories.
> 
> Once the change is made, connecting from your various "outside"
> systems will ask you to confirm the new hostkey (except for the
> node that you copied from).  Just confirm with a "yes" and get
> on with your life. :-)  [I think this is all that's needed; you may
> need to copy the HOSTKEY.PUB to the outside system, but
> I think the SSH protocol will do that for you if you confirm that
> you want to connect.]
> 
>    -Ken

Note that the information on the Linux system should also be adapted, 
because you still have the "old" information in the 
/home/foobar/.ssh/known_hosts file. Delete the offending lines from this 
file. The error message above is not generated by your VMS cluster but 
by your Linux system, which detects a "wrong" key.
If you do not use your IP addresses/names for other systems than the 
cluster (i.e. never ssh a Linux system from Linux with any of these 
addresses), Ken's solution will work after the modification of the 
known_hosts file.
0
Reply joukj2 (173) 5/20/2011 7:26:50 AM
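
A simplified model of the client-side check behind the two warnings quoted in this thread, as an added example that is not part of any poster's message and is not OpenSSH's own code: the offered host key is looked up once under the host name and once under the IP address, and each lookup can come back ok, changed or new. The key blobs and the extra known_hosts lines are constructed, the function names are hypothetical, and hashed (`|1|`) entries are skipped rather than matched.

```python
import base64
import hashlib

def blob(label):
    """Constructed stand-in for a base64 public-key blob (not a real key)."""
    return base64.b64encode(b"constructed:" + label).decode()

NODE_A, NODE_B = blob(b"node-A"), blob(b"node-B")

# Constructed known_hosts: the name was cached from node A (line 1),
# the IP address from node B (line 5), as in the warning quoted above.
KNOWN_HOSTS = "\n".join([
    "multivax.de ssh-dss " + NODE_A,
    "# constructed sample file",
    "other.example ssh-rsa " + blob(b"other"),
    "|1|c2FsdA==|aGFzaA== ssh-rsa " + blob(b"hashed"),
    "217.226.76.212 ssh-dss " + NODE_B,
])

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 of the decoded blob, the format in the warning."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_known_hosts(text):
    """Return (line_no, names, key_type, blob) for plain-text entries."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue  # comments, markers and hashed names are skipped here
        entries.append((line_no, fields[0].split(","), fields[1], fields[2]))
    return entries

def lookup(entries, name, key_type, offered):
    """'ok' if any entry matches the offered key, 'changed' if only a
    different key of the same type is stored, 'new' if nothing is stored."""
    changed_at = None
    for line_no, names, stored_type, stored in entries:
        if name in names and stored_type == key_type:
            if stored == offered:
                return ("ok", line_no)
            if changed_at is None:
                changed_at = line_no
    return ("changed", changed_at) if changed_at else ("new", None)

def diagnose(text, host, ip, key_type, offered):
    """Check the offered host key against the name and the IP separately."""
    entries = parse_known_hosts(text)
    return {"host": lookup(entries, host, key_type, offered),
            "ip": lookup(entries, ip, key_type, offered)}

if __name__ == "__main__":
    for node in (NODE_B, NODE_A):  # whichever node answers the alias
        print(md5_fingerprint(node),
              diagnose(KNOWN_HOSTS, "multivax.de", "217.226.76.212",
                       "ssh-dss", node))
```

With node B answering, the name entry on line 1 is reported as changed while the IP entry on line 5 matches, which is the combination the quoted warning describes; with node A answering, the stale IP line is the one flagged, so both lines have to agree with the shared cluster key.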
